build: Add version bump workflow

Author: p-marcin

.github/actions/prepare/action.yml

@@ -36,7 +36,7 @@ runs:
           *) echo "Unsupported RUNNER_ARCH: $RUNNER_ARCH"; exit 1 ;;
         esac
         echo "ARCH=${ARCH}" >> "$GITHUB_ENV"
-        echo "JDK_VERSION=$(xmlstarlet sel -N "n=http://maven.apache.org/POM/4.0.0" -t -v "/n:project/n:properties/n:jdk.version" "pom.xml")" >> ${GITHUB_ENV}
+        echo "JDK_VERSION=$(xmlstarlet sel -N "n=http://maven.apache.org/POM/4.0.0" -t -v "/n:project/n:properties/n:graalvm-jdk.version" "pom.xml")" >> ${GITHUB_ENV}
         echo "SYFT_VERSION=$(xmlstarlet sel -N "n=http://maven.apache.org/POM/4.0.0" -t -v "/n:project/n:properties/n:syft.version" "pom.xml")" >> ${GITHUB_ENV}
         echo "SYFT_SHA256=$(xmlstarlet sel -N "n=http://maven.apache.org/POM/4.0.0" -t -v "/n:project/n:properties/n:syft.sha256.linux-${ARCH}" "pom.xml")" >> ${GITHUB_ENV}
         echo "UPX_VERSION=$(xmlstarlet sel -N "n=http://maven.apache.org/POM/4.0.0" -t -v "/n:project/n:properties/n:upx.version" "pom.xml")" >> ${GITHUB_ENV}

.github/workflows/call-release.yml

@@ -9,6 +9,11 @@ on:
         required: true
       JDHEIM_GPG_PASSPHRASE:
         required: true
+    inputs:
+      draft-release:
+        description: "Create draft release"
+        required: true
+        type: string
     outputs:
       version:
         description: "Release Version"
@@ -65,7 +70,7 @@ jobs:
           JRELEASER_GPG_PASSPHRASE: ${{ secrets.JDHEIM_GPG_PASSPHRASE }}
           JRELEASER_SIGNING_ACTIVE: ALWAYS
           JRELEASER_ASSEMBLE_ARCHIVE_TOOLFETCH_ACTIVE: ALWAYS
-          JRELEASER_DRAFT: true
+          JRELEASER_DRAFT: ${{ inputs.draft-release }}
         with:
           version: latest
           setup-java: false

.github/workflows/call-version-bump.yml

@@ -0,0 +1,93 @@
+name: "Call: Version Bump"
+
+on:
+  workflow_call:
+    secrets:
+      JDHEIM_ACTIONS_BOT_CLIENT_ID:
+        required: true
+      JDHEIM_ACTIONS_BOT_PRIVATE_KEY:
+        required: true
+    inputs:
+      version-bump-type:
+        description: "Part of the version to bump: major, minor, or patch"
+        required: true
+        type: string
+      draft-release:
+        description: "Create draft release"
+        required: true
+        type: string
+
+jobs:
+  version-bump:
+    name: "Version Bump"
+    timeout-minutes: 15
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Generate Token of jdheim-actions[bot]"
+        id: jdheim-actions-bot-token
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ secrets.JDHEIM_ACTIONS_BOT_CLIENT_ID }}
+          private-key: ${{ secrets.JDHEIM_ACTIONS_BOT_PRIVATE_KEY }}
+
+      - name: "Checkout"
+        uses: actions/checkout@v6
+        with:
+          token: ${{ steps.jdheim-actions-bot-token.outputs.token }}
+
+      - name: "Get Version"
+        id: get-version
+        uses: mikefarah/yq@v4
+        with:
+          cmd: yq '.project.version' "jreleaser.yml"
+
+      - name: "Bump Version"
+        env:
+          VERSION: ${{ steps.get-version.outputs.result }}
+          VERSION_BUMP_TYPE: ${{ inputs.version-bump-type }}
+        shell: bash
+        run: |
+          if [[ -z "${VERSION}" ]]; then
+            BUMPED_VERSION="0.0.1"
+          else
+            IFS='.' read -r major minor patch <<< "${VERSION%%-*}"
+            case "${VERSION_BUMP_TYPE}" in
+              major) major=$((major + 1)); minor=0; patch=0 ;;
+              minor) minor=$((minor + 1)); patch=0 ;;
+              patch) patch=$((patch + 1)) ;;
+              *) echo "Invalid version-bump-type: ${VERSION_BUMP_TYPE}"
+                echo "Allowed values: major, minor, patch"
+                exit 1 ;;
+            esac
+            BUMPED_VERSION="${major}.${minor}.${patch}"
+          fi
+          echo "BUMPED_VERSION=${BUMPED_VERSION}" >> "$GITHUB_ENV"
+
+      - name: "Set Version in JReleaser"
+        uses: mikefarah/yq@v4
+        with:
+          cmd: yq -i '.project.version = strenv(BUMPED_VERSION)' "jreleaser.yml"
+
+      - name: "Set Version in Maven"
+        shell: bash
+        run: ./mvnw versions:set -DnewVersion="${BUMPED_VERSION}" -DgenerateBackupPoms=false
+
+      - name: "Verify changes"
+        shell: bash
+        run: |
+          if [[ -z "$(git status --porcelain)" ]]; then
+            echo "No changes to commit. Version increment failed"
+            exit 1
+          fi
+
+      - name: "Commit and Push"
+        uses: IAreKyleW00t/verified-bot-commit@v2
+        if: ${{ inputs.draft-release != 'true' }}
+        with:
+          message: "chore: Bump version to ${{ env.BUMPED_VERSION }}"
+          ref: ${{ github.ref_name }}
+          token: ${{ steps.jdheim-actions-bot-token.outputs.token }}
+          files: |
+            **

.github/workflows/release.yml

@@ -3,6 +3,24 @@ run-name: "${{ github.workflow }} • ${{ github.ref_name }} • ${{ github.even
 
 on:
   workflow_dispatch:
+    inputs:
+      version-bump-type:
+        description: "Part of the version to bump"
+        required: true
+        type: choice
+        options:
+          - "patch"
+          - "minor"
+          - "major"
+        default: "patch"
+      draft-release:
+        description: "Create draft release"
+        required: true
+        type: choice
+        options:
+          - "true"
+          - "false"
+        default: "false"
 
 concurrency:
   group: release-${{ github.ref }}
@@ -56,6 +74,21 @@ jobs:
       JDHEIM_GPG_PUBLIC_KEY: ${{ secrets.JDHEIM_GPG_PUBLIC_KEY }}
       JDHEIM_GPG_SECRET_KEY: ${{ secrets.JDHEIM_GPG_SECRET_KEY }}
       JDHEIM_GPG_PASSPHRASE: ${{ secrets.JDHEIM_GPG_PASSPHRASE }}
+    with:
+      draft-release: ${{ inputs.draft-release }}
+
+  version-bump:
+    name: "Version Bump"
+    needs: release
+    permissions:
+      contents: write
+    uses: jdheim/toolfetch/.github/workflows/call-version-bump.yml@main
+    secrets:
+      JDHEIM_ACTIONS_BOT_CLIENT_ID: ${{ secrets.JDHEIM_ACTIONS_BOT_CLIENT_ID }}
+      JDHEIM_ACTIONS_BOT_PRIVATE_KEY: ${{ secrets.JDHEIM_ACTIONS_BOT_PRIVATE_KEY }}
+    with:
+      version-bump-type: ${{ inputs.version-bump-type }}
+      draft-release: ${{ inputs.draft-release }}
 
   github-slsa-provenance:
     name: "GitHub SLSA Provenance"
@@ -81,4 +114,4 @@ jobs:
       provenance-name: toolfetch-${{ needs.release.outputs.version }}-provenance.intoto.jsonl
       upload-tag-name: ${{ needs.release.outputs.tag_name }}
       base64-subjects: ${{ needs.release.outputs.base64_subjects }}
-      draft-release: 'true'
+      draft-release: ${{ inputs.draft-release }}

README.md

@@ -13,7 +13,10 @@
         <img src="https://img.shields.io/github/actions/workflow/status/jdheim/toolfetch/tests-and-scans.yml?label=Tests%20%26%20Scans&logo=github&logoColor=white&branch=main" alt="Tests & Scans"/>
     </a>
     <a href="https://github.com/jdheim/toolfetch/actions/workflows/scheduled-security-scans.yml" rel="noreferrer">
-        <img src="https://img.shields.io/github/actions/workflow/status/jdheim/toolfetch/scheduled-security-scans.yml?label=Security%20%20Scans&logo=github&logoColor=white&branch=main" alt="Security Scans"/>
+        <img src="https://img.shields.io/github/actions/workflow/status/jdheim/toolfetch/scheduled-security-scans.yml?label=Security%20Scans&logo=github&logoColor=white&branch=main" alt="Security Scans"/>
+    </a>
+    <a href="https://github.com/jdheim/toolfetch/actions/workflows/github-code-scanning/codeql" rel="noreferrer">
+        <img src="https://img.shields.io/github/actions/workflow/status/jdheim/toolfetch/github-code-scanning/codeql?label=CodeQL&logo=github&logoColor=white&branch=main" alt="CodeQL"/>
     </a>
 </p>
 

jreleaser.yml

@@ -1,7 +1,6 @@
 environment:
   properties:
-    graalVmDir: 'graalvm-jdk-25.0.2+10.1'
-
+    graalVmDir: 'graalvm-jdk-25.0.2'
 project:
   name: 'toolfetch'
   version: '0.0.1'
@@ -29,42 +28,36 @@ project:
   languages:
     java:
       groupId: 'com.jdheim'
-
 platform:
   replacements:
     x86_64: 'amd64'
     linux-x86_64: 'linux-amd64'
     aarch_64: 'arm64'
     linux-aarch_64: 'linux-arm64'
-
 checksum:
   algorithms:
     - 'SHA_256'
   individual: true
-
 signing:
   pgp:
     armored: true
     verify: true
     mode: 'MEMORY'
-
 files:
   artifacts:
-    - path: '{{outputDirectory}}/sbom/{{projectName}}-{{projectEffectiveVersion}}-sboms.zip'
-
+    - path: '{{outputDirectory}}/sbom/{{projectName}}-{{projectVersion}}-sboms.zip'
 distributions:
   toolfetch:
     type: 'BINARY'
     artifacts:
-      - path: '{{assembleDirectory}}/{{projectName}}/archive/{{projectName}}-{{projectEffectiveVersion}}-linux-amd64.tar.gz'
+      - path: '{{assembleDirectory}}/{{projectName}}/archive/{{projectName}}-{{projectVersion}}-linux-amd64.tar.gz'
         platform: 'linux-x86_64'
         extraProperties:
           graalVMNativeImage: 'true'
-      - path: '{{assembleDirectory}}/{{projectName}}/archive/{{projectName}}-{{projectEffectiveVersion}}-linux-arm64.tar.gz'
+      - path: '{{assembleDirectory}}/{{projectName}}/archive/{{projectName}}-{{projectVersion}}-linux-arm64.tar.gz'
         platform: 'linux-aarch_64'
         extraProperties:
           graalVMNativeImage: 'true'
-
 assemble:
   archive:
     toolfetch:
@@ -76,7 +69,7 @@ assemble:
         longFileMode: 'POSIX'
         bigNumberMode: 'POSIX'
       artifacts:
-        - path: '{{assembleDirectory}}/{{projectName}}_binary/native-image/{{projectName}}-{{projectEffectiveVersion}}-{{osPlatformReplaced}}'
+        - path: '{{assembleDirectory}}/{{projectName}}_binary/native-image/{{projectName}}-{{projectVersion}}-{{osPlatformReplaced}}'
           transform: 'bin/{{projectName}}'
       fileSets:
         - input: "."
@@ -88,7 +81,7 @@ assemble:
           output: "licenses"
   nativeImage:
     toolfetch_binary:
-      executable: '{{projectName}}-{{projectEffectiveVersion}}'
+      executable: '{{projectName}}-{{projectVersion}}'
       archiving:
         enabled: false
       graalJdks:
@@ -100,13 +93,13 @@ assemble:
         - '-H:+UnlockExperimentalVMOptions'
         - '--enable-sbom=embed,cyclonedx,strict'
       mainJar:
-        path: '{{baseOutputDirectory}}/{{projectName}}-{{projectEffectiveVersion}}.jar'
+        path: '{{baseOutputDirectory}}/{{projectName}}-{{projectVersionNumber}}.jar'
       jars:
         - pattern: '{{baseOutputDirectory}}/third-party/lib/*.jar'
       java:
         mainClass: 'com.jdheim.{{projectName}}.Main'
     toolfetch_debug:
-      executable: '{{projectName}}-{{projectEffectiveVersion}}'
+      executable: '{{projectName}}-{{projectVersion}}'
       archiving:
         enabled: false
       graalJdks:
@@ -118,19 +111,18 @@ assemble:
         - '-H:+UnlockExperimentalVMOptions'
         - '-H:+JDWP'
       mainJar:
-        path: '{{baseOutputDirectory}}/{{projectName}}-{{projectEffectiveVersion}}.jar'
+        path: '{{baseOutputDirectory}}/{{projectName}}-{{projectVersionNumber}}.jar'
       jars:
         - pattern: '{{baseOutputDirectory}}/third-party/lib/*.jar'
       java:
         mainClass: 'com.jdheim.{{projectName}}.Main'
-
 hooks:
   script:
     success:
       # Generate SBOM
       - run: |
           if [[ "${JRELEASER_ASSEMBLE_NATIVE_IMAGE_TOOLFETCH_BINARY_ACTIVE}" == "ALWAYS" ]]; then
-            binary="$(find {{assembleDirectory}} -type f -name "{{projectName}}-{{projectEffectiveVersion}}-{{osPlatformReplaced}}" -executable)"
+            binary="$(find {{assembleDirectory}} -type f -name "{{projectName}}-{{projectVersion}}-{{osPlatformReplaced}}" -executable)"
             if [[ -z "${binary}" ]]; then
               echo "[sbom] Missing {{projectName}} binary"
               exit 1
@@ -139,7 +131,7 @@ hooks:
               echo "[sbom] Generate SPDX SBOM with Syft $(syft --version | awk '{print $2}')"
               sbomDirectory="{{outputDirectory}}/sbom"
               mkdir -p "${sbomDirectory}"
-              sbom="${sbomDirectory}/{{projectName}}-{{projectEffectiveVersion}}-{{osPlatformReplaced}}.spdx-json.sbom"
+              sbom="${sbomDirectory}/{{projectName}}-{{projectVersion}}-{{osPlatformReplaced}}.spdx-json.sbom"
               syft file:"${binary}" -o spdx-json="${sbom}"
             else
               echo "[sbom] Syft not installed. Skipping"
@@ -151,7 +143,7 @@ hooks:
       # Compress with UPX
       - run: |
           if [[ "${JRELEASER_ASSEMBLE_NATIVE_IMAGE_TOOLFETCH_BINARY_ACTIVE}" == "ALWAYS" ]]; then
-            binary="$(find {{assembleDirectory}} -type f -name "{{projectName}}-{{projectEffectiveVersion}}-{{osPlatformReplaced}}" -executable)"
+            binary="$(find {{assembleDirectory}} -type f -name "{{projectName}}-{{projectVersion}}-{{osPlatformReplaced}}" -executable)"
             if [[ -z "${binary}" ]]; then
               echo "[sbom] Missing {{projectName}} binary"
               exit 1
@@ -173,7 +165,7 @@ hooks:
       - run: |
           if [[ "${JRELEASER_ASSEMBLE_NATIVE_IMAGE_TOOLFETCH_BINARY_ACTIVE}" == "ALWAYS" ]]; then
             echo "[native-image] Copy a native image to the target directory"
-            find {{assembleDirectory}} -type f -name "{{projectName}}-{{projectEffectiveVersion}}-{{osPlatformReplaced}}" -executable -exec cp -v {} {{baseOutputDirectory}}/{{projectName}} \;
+            find {{assembleDirectory}} -type f -name "{{projectName}}-{{projectVersion}}-{{osPlatformReplaced}}" -executable -exec cp -v {} {{baseOutputDirectory}}/{{projectName}} \;
           fi
         verbose: true
         filter:
@@ -189,8 +181,8 @@ hooks:
               cp -v {{baseOutputDirectory}}/jdks/graalvm-{{osPlatformReplaced}}/{{graalVmDir}}/lib/libsvmjdwp.so ${HOME}/.libsvmjdwp/graalvm-{{osPlatformReplaced}}/{{graalVmDir}}/
             fi
             cp -v ${HOME}/.libsvmjdwp/graalvm-{{osPlatformReplaced}}/{{graalVmDir}}/libsvmjdwp.so {{baseOutputDirectory}}
-            find {{assembleDirectory}} -type f -name "{{projectName}}-{{projectEffectiveVersion}}-{{osPlatformReplaced}}" -executable -exec cp -v {} {{baseOutputDirectory}}/{{projectName}} \;
-            find {{assembleDirectory}} -type f -name "{{projectName}}-{{projectEffectiveVersion}}.metadata" -exec cp -v {} {{baseOutputDirectory}}/{{projectName}}.metadata \;
+            find {{assembleDirectory}} -type f -name "{{projectName}}-{{projectVersion}}-{{osPlatformReplaced}}" -executable -exec cp -v {} {{baseOutputDirectory}}/{{projectName}} \;
+            find {{assembleDirectory}} -type f -name "{{projectName}}-{{projectVersion}}.metadata" -exec cp -v {} {{baseOutputDirectory}}/{{projectName}}.metadata \;
           fi
         verbose: true
         filter:
@@ -209,25 +201,24 @@ hooks:
               echo "[sbom] Missing SBOM"
               exit 1
             fi
-          
+
             valid=true
             for sbom in ${sboms}; do
               if ! grep -q "info.picocli-picocli" "${sbom}"; then
                 valid=false
                 break
               fi
             done
-          
+
             if [[ "${valid}" != "true" ]]; then
               echo "[sbom] Missing libraries in SBOM"
               exit 1
             fi
-            zip -j "${sbomDirectory}/{{projectName}}-{{projectEffectiveVersion}}-sboms.zip" ${sboms}
+            zip -j "${sbomDirectory}/{{projectName}}-{{projectVersion}}-sboms.zip" ${sboms}
           fi
         verbose: true
         filter:
           includes: [ 'assemble' ]
-
 release:
   github:
     releaseName: '{{tagName}}'
@@ -262,4 +253,4 @@ release:
         contributors:
           - 'p-marcin'
           - 'dependabot'
-          - 'GitHub'
+          - 'jdheim-repository'